
Energise to trip?

De-energise to trip?

Simple Choice?
Tony Foord & Colin Howard
www.4-sightConsulting.co.uk
+44 (0)1 582 462 324
Slide DT/ET - 1

Examples

Slide DT/ET - 2

Overview

Available guidance
Why do trip systems fail?
Trip system issues
System failure modes
3 examples
Architecture and Spurious trip frequency
Diagnostics and Reverse acting transmitters
References
Conclusions
Slide DT/ET - 3

Traditional Choices

Figure: the traditional trade-off. Safety is placed on the De-energise to Trip (DT) side and Availability (continuity of Operation) on the Energise to Trip (ET) side. Figure labels: Safety, Availability, Operation, De-energise to Trip (DT), Energise to Trip (ET).

Slide DT/ET - 4

Available Guidance
Very little specific guidance published
One or two paragraphs only
Concentrate on fail safe

WHY?
Custom and practice?
Taken for granted?
Principles assumed?
Slide DT/ET - 5

Overpressure protection for a turbine driven compressor

Slide DT/ET - 6

Why do trip systems fail?

Inadequate specification
Inadequate design and implementation
Inadequate installation and commissioning
Inadequate operation and maintenance
Inadequate modification
Source: Out of Control 2003

Slide DT/ET - 7

Trip system issues

SIF Requirements
Passive / active systems
Utility Requirements
Effect on Fail to Danger and Spurious Trips
Design policy / Architecture / Overrides (defeats)
People issues
Operate / Test / Repair policies
Component reliability
Diagnostics
Slide DT/ET - 8

System failure modes

Source: Sintef PDS Method Handbook 2006


Slide DT/ET - 9

Energise or De-energise to Trip?

Figure: process schematic for the second example. A Surge Drum feeds the Process unit consumers; a level switch (LSZ) drives the SIF, which starts the Emergency Feed. Figure labels: LSZ, Process unit consumers, SIF, OAF, Surge Drum, Emergency Feed.

Slide DT/ET - 10

Addition of Reactor Inhibitor Options

Figure: reactor P&ID for the third example, showing two options for adding inhibitor, one labelled De-energise to Trip and one labelled Energise to Trip. Figure labels: HP N2, Inhibitor, Inhibitor Dump tank BD1, Vent, Feed A, Feed B, TT1, PT1, N2 In, HW In, HW Out, CW In, CW Out, Product Out.
Slide DT/ET - 11

Architecture and Spurious Trip Frequency

Figure: chart of spurious trip frequency (logarithmic axis, from 1 down to 0.0000001) for the 1oo1, 1oo2, 1oo3 and 2oo3 architectures.
Slide DT/ET - 12

Valve failure modes ~ 80% open

Failure mode     %
Blocking          5
External leak    15
Passing          60
Sticking         20

Data source: Smith: Reliability, Maintainability and Risk

Slide DT/ET - 13

Relay failure modes ~ 90% open

Failure mode               %
Contacts short circuit    10
Contacts open circuit     80
Coil                      10

Data source: Smith: Reliability, Maintainability and Risk

Slide DT/ET - 14

Overpressure protection for a turbine driven compressor

Slide DT/ET - 15

DT fails to danger

Figure: fault tree, DT fails to danger (key as on the next slide).
Slide DT/ET - 16

ET fails to danger

Figure: fault tree, ET fails to danger.
Key to Fault Trees: the top event is reached through any one of three subsystem branches:
Sensors: 2oo3 sensors fail (Sensor 1 fails, Sensor 2 fails, Sensor 3 fails)
Logic solver: Logic solver hardware fails
Final elements: Both FEs fail (FE 1 fails, FE 2 fails)
Slide DT/ET - 17

DT (left) and ET fails to danger

Figure: the DT and ET fails-to-danger fault trees side by side, same key.
Slide DT/ET - 18

DT spurious trips

Figure: fault tree, DT spurious trips (same key).
Slide DT/ET - 19

ET spurious trips

Figure: fault tree, ET spurious trips (same key).
Slide DT/ET - 20

DT (left) and ET spurious trips

Figure: the DT and ET spurious-trip fault trees side by side, same key.
Slide DT/ET - 21
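The architecture chart, the valve and relay failure-mode tables and the six fault trees all rest on one calculation: each element's failures are split into a "safe" share (drives the element into its trip state, so it can only cause a spurious trip) and a "dangerous" share (drives it away from the trip state, so it silently defeats the function), and the voting architecture then sets how those shares combine. The script below is an added worked example, not code from the slides or from 4-sight Consulting. It assumes the simplified ISA-TR84.00.02-style PFDavg and spurious-trip equations (no common-cause factor, no diagnostic coverage, no repair credit for dangerous failures); the failure rates, the 8 h MTTR and the 50/50 split assumed for transmitters are constructed illustrative numbers, not field data. The 90% open-circuit figure for relays is the one on slide 14.

```python
"""Added example, not from the slides: PFDavg and spurious-trip rate for the
architectures on the chart, with the DT/ET choice deciding which side of the
ledger an element's dominant failure mode lands on, then summed over the
three fault-tree subsystems (2oo3 sensors, logic solver, 1oo2 final elements).

Assumptions: ISA-TR84.00.02-style simplified equations (no common-cause
factor, no diagnostic coverage, no repair credit for dangerous failures).
All failure rates below are constructed for illustration.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Element:
    name: str
    lam: float        # total random hardware failure rate, failures per hour
    frac_open: float  # share of failures ending in the open-circuit /
                      # de-energised state (slide 14: relay ~90%)


def classify(el: Element, trip_state_is_open: bool) -> tuple:
    """Split lam into (lambda_safe, lambda_dangerous).

    A failure that drives the element into its trip state only causes a
    spurious trip (safe); one that drives it away from the trip state
    silently defeats the SIF (dangerous). DT puts the trip state at the
    de-energised/open end, ET at the energised end, so the same failure-mode
    split lands on opposite sides under the two policies.
    """
    to_trip = el.frac_open if trip_state_is_open else 1.0 - el.frac_open
    return el.lam * to_trip, el.lam * (1.0 - to_trip)


def pfd_avg(arch: str, lam_d: float, ti_h: float) -> float:
    """Average probability of failure on demand over proof-test interval ti_h."""
    x = lam_d * ti_h
    return {"1oo1": x / 2, "1oo2": x * x / 3, "2oo2": x,
            "2oo3": x * x, "1oo3": x ** 3 / 4}[arch]


def spurious_trip_rate(arch: str, lam_s: float, mttr_h: float) -> float:
    """Spurious trips per hour. 2oo2/2oo3 need a second safe failure while
    the first is still under repair, hence the mttr_h term."""
    return {"1oo1": lam_s, "1oo2": 2 * lam_s, "2oo2": 2 * lam_s ** 2 * mttr_h,
            "2oo3": 6 * lam_s ** 2 * mttr_h, "1oo3": 3 * lam_s}[arch]


ARCHS = ("1oo1", "1oo2", "1oo3", "2oo3")


def architecture_table(el, trip_state_is_open, ti_h=HOURS_PER_YEAR, mttr_h=8.0):
    """{arch: (pfd_avg, spurious trips per year)} for one element type.
    Reproduces the shape of the slide-12 chart: 1oo1 < 1oo2 < 1oo3, 2oo3 lowest."""
    lam_s, lam_d = classify(el, trip_state_is_open)
    return {a: (pfd_avg(a, lam_d, ti_h),
                spurious_trip_rate(a, lam_s, mttr_h) * HOURS_PER_YEAR)
            for a in ARCHS}


def sif_totals(subsystems, ti_h=HOURS_PER_YEAR, mttr_h=8.0):
    """OR the fault-tree branches: to first order the SIF's PFDavg and
    spurious-trip rate are the sums over its subsystems.
    subsystems: list of (Element, arch, trip_state_is_open)."""
    pfd = rate = 0.0
    for el, arch, trip_open in subsystems:
        lam_s, lam_d = classify(el, trip_open)
        pfd += pfd_avg(arch, lam_d, ti_h)
        rate += spurious_trip_rate(arch, lam_s, mttr_h)
    return pfd, rate * HOURS_PER_YEAR


def compare_dt_et(ti_h=HOURS_PER_YEAR, mttr_h=8.0):
    """Same hardware and the same 2oo3 / 1oo1 / 1oo2 fault tree, DT versus ET.
    Returns {"DT": (pfd_avg, spurious trips/yr), "ET": (...)}."""
    # constructed rates; the transmitter's 0.5 makes it policy-neutral
    tx = Element("transmitter", lam=5.0e-6, frac_open=0.5)
    ls = Element("logic solver output relay", lam=1.0e-6, frac_open=0.9)
    fe = Element("solenoid/valve", lam=4.0e-6, frac_open=0.9)
    result = {}
    for policy, trip_open in (("DT", True), ("ET", False)):
        result[policy] = sif_totals([(tx, "2oo3", trip_open),
                                     (ls, "1oo1", trip_open),
                                     (fe, "1oo2", trip_open)], ti_h, mttr_h)
    return result


if __name__ == "__main__":
    relay = Element("trip relay", lam=2.0e-6, frac_open=0.9)
    for arch, (pfd, trips) in architecture_table(relay, True).items():
        print(f"DT relay {arch}: PFDavg={pfd:.2e}  spurious trips/yr={trips:.2e}")
    for policy, (pfd, trips) in compare_dt_et().items():
        print(f"{policy} SIF: PFDavg={pfd:.2e}  spurious trips/yr={trips:.2e}")
```

With the relay's 90% open-circuit share, DT puts nine tenths of the failures on the spurious-trip side and ET puts them on the fail-to-danger side; the two policies end up roughly five times apart in PFDavg and nine times apart in spurious-trip rate for the same hardware, which is the asymmetry the fault trees are drawn to show. Swap in a 2oo3 final-element group or a longer proof-test interval to see how the architecture, rather than the policy, moves each number.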

Diagnostics and Reverse Acting Transmitters

Safety Function operates on high signals
Transmitter failure leads to low signal
Diagnostics require separate input
Reverse acting transmitter provides automatic protection
Avoids technical complexity BUT introduces human factors and management complexity

Slide DT/ET - 22
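The slide's point is easiest to see at the logic-solver input: the same 0 mA loop current is a harmless "low process" reading behind a direct-acting transmitter and an automatic trip behind a reverse-acting one, and the management complexity appears the moment the transmitter and the logic solver disagree about which way the loop is configured. The script below is an added example, not code from the slides or from 4-sight Consulting. It assumes a high trip at 80% of span, the NAMUR NE43 signalling bands (fail-low at or below 3.6 mA, fail-high at or above 21.0 mA) for the separate out-of-range diagnostic, and a transmitter fault that collapses the loop to 0 mA; all of these are constructed assumptions, not figures from the slides.

```python
"""Added example, not from the slides: what a logic solver sees from a
direct-acting and from a reverse-acting 4-20 mA transmitter when the process
goes high, when the transmitter fails low, and when the two ends of the loop
disagree about which way the transmitter is configured.

Assumptions (constructed): high trip at 80% of span; NAMUR NE43 failure
bands (fail-low <= 3.6 mA, fail-high >= 21.0 mA); a transmitter fault that
drives the loop to 0 mA.
"""
TRIP_PERCENT = 80.0
NE43_FAIL_LOW, NE43_FAIL_HIGH = 3.6, 21.0


def transmitter_ma(process_percent: float, reverse_acting: bool) -> float:
    """Loop current a healthy transmitter sends for a process value in % span.
    Direct: 4 mA at 0%, 20 mA at 100%. Reverse: 20 mA at 0%, 4 mA at 100%."""
    pct = 100.0 - process_percent if reverse_acting else process_percent
    return 4.0 + 16.0 * pct / 100.0


def solver_percent(ma: float, configured_reverse: bool) -> float:
    """Process value the logic solver reconstructs from the loop current,
    using the direction it has been *configured* for."""
    pct = (ma - 4.0) / 16.0 * 100.0
    return 100.0 - pct if configured_reverse else pct


def evaluate(ma: float, configured_reverse: bool, range_diagnostic: bool):
    """One scan of a high trip. Returns (trip, reason).

    Direct-acting: a fail-low (0 mA) decodes as a very low process value and
    the high comparison stays quiet; only the separate out-of-range
    diagnostic catches it. Reverse-acting: the same 0 mA decodes as > 100%
    and trips on the ordinary high comparison with no extra input needed.
    """
    if range_diagnostic and (ma <= NE43_FAIL_LOW or ma >= NE43_FAIL_HIGH):
        return True, "diagnostic: loop current outside NE43 band"
    pv = solver_percent(ma, configured_reverse)
    if pv >= TRIP_PERCENT:
        return True, f"process high ({pv:.0f}%)"
    return False, f"healthy ({pv:.0f}%)"


def scenarios() -> dict:
    """The cases a practitioner would want to check, as {name: (trip, reason)}."""
    fail_low = 0.0                                      # loop collapsed
    high_direct = transmitter_ma(90.0, reverse_acting=False)   # 18.4 mA
    low_reverse = transmitter_ma(10.0, reverse_acting=True)    # 18.4 mA
    return {
        # direct-acting, no separate diagnostic: the failure is latent
        "direct_faillow_no_diag": evaluate(fail_low, False, False),
        # direct-acting with out-of-range diagnostic: caught by the extra check
        "direct_faillow_diag": evaluate(fail_low, False, True),
        # reverse-acting: fail-low decodes as 125% and trips by itself
        "reverse_faillow_no_diag": evaluate(fail_low, True, False),
        # the management trap: a direct-acting replacement transmitter on a
        # loop the solver still treats as reverse-acting. A genuine 90%
        # process decodes as 10% and the SIF does nothing.
        "mismatch_process_high": evaluate(high_direct, True, True),
        # the mirror case: a reverse-acting transmitter read as direct-acting
        # trips at 10% of span, a spurious trip that looks like a real one
        "mismatch_process_low": evaluate(low_reverse, False, True),
    }


if __name__ == "__main__":
    for name, (trip, reason) in scenarios().items():
        print(f"{name:26s} trip={trip!s:5s} {reason}")
```

The two "mismatch" cases are the human-factors cost the slide warns about: a reverse-acting loop is only fail-safe while every party (transmitter configuration, logic-solver scaling, the technician's calibration sheet, the operator reading the trend) agrees on the direction, and nothing in the signal itself tells you when that agreement has been broken.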

References - 1
http://www.hse.gov.uk/comah/sragtech/index.htm
which includes links to Case Studies illustrating the importance of Control and Protection Systems, for example:
Texaco Refinery - Milford Haven - Explosion and Fires (24/7/1994)
International Biosynthetics Ltd (7/12/1991)
BP Oil (Grangemouth) Refinery Ltd (22/3/1987)
Seveso - Icmesa Chemical Company (9/7/1976)

Out of Control (2003), Second edition, HSE Books, ISBN 0-7176-2192-8

IEC 61508 (1998 & 2000), Functional safety of electrical/electronic/programmable electronic safety-related systems, Parts 1-7
Slide DT/ET - 23

References - 2
Reliability Prediction Method For Safety Instrumented Systems. PDS Method Handbook (2006), SINTEF
ISA-TR84.00.02 (2002) - Safety Instrumented Function (SIF) - Safety Integrity Level (SIL) Evaluation Techniques, Part 1: Introduction, page 57
Reliability Maintainability and Risk (2001), David J Smith, ISBN 0-7506-5168-7
Safety Shutdown Systems: Design, Analysis and Justification (1998), Paul Gruhn and Harry Cheddie, ISBN 1-55617-665-1
Safety-Critical Computer Systems (1996), Neil Storey, ISBN 0-201-42787-7
Safeware: System Safety and Computers (1995), Nancy Leveson, ISBN 0-201-11972-2
Slide DT/ET - 24

Available Guidance on ET
Is there anything else out there?

Slide DT/ET - 25

Conclusions
Choice less clear-cut than at first sight
Need to look holistically, wider than simply the core SIF
ET can be made to work, but the possibilities of getting it wrong are greater
ET inherently more complex: does everyone understand the complexity?
Some DT systems have ET elements


Slide DT/ET - 26
